[prev in list] [next in list] [prev in thread] [next in thread]
List: xen-users
Subject: Re: [Xen-users] Where does PyGrub run?
From: eva <evammg () gmail ! com>
Date: 2012-04-30 9:06:05
Message-ID: CAN-hevnrQxKBZTctYOBdyAxhk6j=JQokUb5qM6tN7kxKFBd94g () mail ! gmail ! com
[Download RAW message or body]
[Attachment #2 (multipart/alternative)]
On 28 April 2012 05:42, Luke S. Crawford <lsc@prgmr.com> wrote:
> On Thu, Apr 26, 2012 at 12:26:13PM +0100, Simon Hobson wrote:
> > eva wrote:
> >
> > > Thanks for answering. I read that part, but afterwards I read the link
> > > that Luke posted that says:
> > >
> > > "The problem with PyGRUB is that while it's a good simulation of a
> > > bootloader, it has to mount the domU partition"
> > >
> > >
> > >
> http://wiki.prgmr.com/mediawiki/index.php/Chapter_7:_Hosting_Untrusted_Users_Under_Xen:_Lessons_from_the_Trenches#PV-GRUB:_A_SAFER_ALTERNATIVE_TO_PYGRUB.3F
>
> > >
> > > ..hence my confusion.
> >
> > Hmm, yes. One or other of the Wiki entries is wrong then.
>
> Technically, mine is wrong; it uses libfsimage to pull the kernel out
> of the block device, it doesn't mount it. But that has many of the
> dangers of mounting directly. (As someone else pointed out, I think,
> libfsimage can be run as something other than root, as long as it has read
> access to the block device, and that helps some, though by default I think
> it does run as root. But Pvgrub runs entirely within the guest, so there
> is no way a problem in pvgrub can lead to a dom0 compromise.)
>
> Note, pvgrub also protects you from, say, exploits in the code used to
> decompress the kernel; with pvgrub, the kernel is uncompressed within
> the DomU.
>
> > In that link I see the answer to your other query. In there, in
> > extolling the virtues of pvgrub, the author is hinting (but
> > explicitly stating) that he is providing a read-only volume which the
> > end user (DomU owner) cannot modify. In that read-only partition, he
> > has a basic (rescue) system which the DomU always boots "through" -
> > thus the end user can never ever completely trash his DomU to the
> > point that it won't boot anything.
> > My guess is that he has GRUB installed in the rescue partition, with
> > two entries - rescue and user. Rescue boots into the rescue system,
> > user (the default) chain loads a GRUB config from the user's normal
> > partition. In normal operation, the DomU will load the read-only
> > GRUB, chainload the user's GRUB, and then boot the user's OS. If the
> > user screws it up, he can interrupt the initial GRUB, boot into the
> > rescue system, and from there fix his own system.
>
> exactly.
>
>
>
Thank you guys to help me to clarify this point.
Regards, Eva
[Attachment #5 (text/html)]
<br><br><div class="gmail_quote">On 28 April 2012 05:42, Luke S. Crawford <span \
dir="ltr"><<a href="mailto:lsc@prgmr.com" \
target="_blank">lsc@prgmr.com</a>></span> wrote:<br><blockquote \
class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc \
solid;padding-left:1ex">
<div class="im">On Thu, Apr 26, 2012 at 12:26:13PM +0100, Simon Hobson wrote:<br>
> eva wrote:<br>
><br>
> >Thanks for answering. I read that part, but afterwards I read the link<br>
> >that Luke posted that says:<br>
> ><br>
> >"The problem with PyGRUB is that while it's a good simulation of \
a<br> > >bootloader, it has to mount the domU partition"<br>
> ><br>
> ><br>
> ><a href="http://wiki.prgmr.com/mediawiki/index.php/Chapter_7:_Hosting_Untrust \
ed_Users_Under_Xen:_Lessons_from_the_Trenches#PV-GRUB:_A_SAFER_ALTERNATIVE_TO_PYGRUB.3F" \
target="_blank">http://wiki.prgmr.com/mediawiki/index.php/Chapter_7:_Hosting_Untrusted \
_Users_Under_Xen:_Lessons_from_the_Trenches#PV-GRUB:_A_SAFER_ALTERNATIVE_TO_PYGRUB.3F</a><br>
> ><br>
> >..hence my confusion.<br>
><br>
> Hmm, yes. One or other of the Wiki entries is wrong then.<br>
<br>
</div>Technically, mine is wrong; it uses libfsimage to pull the kernel out<br>
of the block device, it doesn't mount it. But that has many of the<br>
dangers of mounting directly. (As someone else pointed out, I think,<br>
libfsimage can be run as something other than root, as long as it has read<br>
access to the block device, and that helps some, though by default I think<br>
it does run as root. But Pvgrub runs entirely within the guest, so there<br>
is no way a problem in pvgrub can lead to a dom0 compromise.)<br>
<br>
Note, pvgrub also protects you from, say, exploits in the code used to<br>
decompress the kernel; with pvgrub, the kernel is uncompressed within<br>
the DomU.<br>
<div class="im"><br>
> In that link I see the answer to your other query. In there, in<br>
> extolling the virtues of pvgrub, the author is hinting (but<br>
> explicitly stating) that he is providing a read-only volume which the<br>
> end user (DomU owner) cannot modify. In that read-only partition, he<br>
> has a basic (rescue) system which the DomU always boots "through" \
-<br> > thus the end user can never ever completely trash his DomU to the<br>
> point that it won't boot anything.<br>
> My guess is that he has GRUB installed in the rescue partition, with<br>
> two entries - rescue and user. Rescue boots into the rescue system,<br>
> user (the default) chain loads a GRUB config from the user's normal<br>
> partition. In normal operation, the DomU will load the read-only<br>
> GRUB, chainload the user's GRUB, and then boot the user's OS. If the<br>
> user screws it up, he can interrupt the initial GRUB, boot into the<br>
> rescue system, and from there fix his own system.<br>
<br>
</div>exactly.<br>
<div class="HOEnZb"><div \
class="h5"><br><br></div></div></blockquote><div><br></div><div>Thank you guys to \
help me to clarify this point.</div><div><br></div><div>Regards, Eva </div></div>
_______________________________________________
Xen-users mailing list
Xen-users@lists.xen.org
http://lists.xen.org/xen-users
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic